
SecurityWeek

Cloud Security

Microsoft: Cloud Environments of US Organizations Targeted in Ransomware Attacks

A threat actor has been compromising the hybrid cloud environments of US organizations in multiple sectors.

The cybercriminal gang tracked as Storm-0501 is targeting hybrid cloud environments of US organizations in multiple sectors, Microsoft warns.

A financially motivated group that relies on commodity and open-source tools for ransomware deployment, Storm-0501 has been active since 2021, when it used the Sabbath ransomware in attacks against US schools.

Since then, the threat actor has been operating as a ransomware-as-a-service (RaaS) affiliate, deploying the Alphv/BlackCat, Hive, Hunters International, LockBit, and Embargo ransomware families.

While the group’s attacks are opportunistic, Microsoft has observed Storm-0501 mounting a multi-stage assault to compromise the hybrid cloud environments of multiple US organizations in the government, law enforcement, manufacturing, and transportation sectors.

The threat actor moved laterally from the compromised organizations’ on-premises environment to their cloud, gaining persistent backdoor access, stealing credentials and data, and deploying ransomware.

“Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environments to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment,” Microsoft explains.

The threat actor obtained initial access either through access brokers, using compromised credentials, or by exploiting known vulnerabilities in internet-facing products: Citrix NetScaler (CVE-2023-4966, "Citrix Bleed"), Zoho ManageEngine (CVE-2022-47966), and Adobe ColdFusion (CVE-2023-29300 or CVE-2023-38203).

Following initial access and remote code execution, the threat actor obtained administrative privileges on the targeted device or network, performed reconnaissance, and deployed remote monitoring and management (RMM) tools.


Leveraging the obtained admin privileges, the group also harvested credentials over the network to compromise additional devices, and likely performed brute-force attacks to gain access to several accounts.

Storm-0501 was seen deploying a Cobalt Strike beacon for lateral movement and compromising a Domain Admin account to access the domain controller and deploy ransomware across all connected devices.

In a recent campaign, the threat actor used stolen Microsoft Entra ID credentials to move laterally from the on-premises environment into the cloud tenant, where it created a new federated domain. Entra ID trusts SAML tokens signed by the identity provider configured for a federated domain, so an actor who controls that provider's signing key can mint tokens for existing accounts without their passwords or MFA, and the access survives password resets. That is what gave Storm-0501 persistent backdoor access.
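The check a defender wants after reading the paragraph above is "does my tenant have a federated domain I did not set up, or one pointing at an issuer I do not operate?" The following PowerShell is an added example written for this page, not code from Microsoft or from SecurityWeek. The allow-list, the domain names and the issuer URIs are constructed for illustration; the live-collection lines at the end use the Microsoft Graph PowerShell cmdlets Get-MgDomain, Get-MgDomainFederationConfiguration and Get-MgAuditLogDirectoryAudit.

```powershell
# Added example (not Microsoft's or SecurityWeek's code): hunt for a federated-domain
# backdoor by comparing every federated domain in the tenant against the issuers the
# organisation actually operates. Sample tenant data below is constructed.

# Assumption: the organisation federates exactly one domain, to its own AD FS farm.
$ExpectedFederation = @{
    'corp.example.com' = 'http://adfs.corp.example.com/adfs/services/trust'
}

function Find-SuspiciousFederation {
    param(
        # Objects shaped like Get-MgDomain output: Id, AuthenticationType ('Managed' | 'Federated')
        [Parameter(Mandatory)] [object[]]  $Domains,
        # DomainId -> object shaped like Get-MgDomainFederationConfiguration output: IssuerUri, PassiveSignInUri
        [Parameter(Mandatory)] [hashtable] $FederationConfig,
        [hashtable] $Expected = $ExpectedFederation
    )
    foreach ($d in $Domains) {
        # Managed domains authenticate against Entra ID itself; only federated ones delegate trust.
        if ($d.AuthenticationType -ne 'Federated') { continue }
        $cfg  = $FederationConfig[$d.Id]
        $want = $Expected[$d.Id]
        $reason = if (-not $want) {
            'federated domain is not in the expected list'
        } elseif ($cfg.IssuerUri -ne $want) {
            "issuer '$($cfg.IssuerUri)' does not match expected '$want'"
        }
        if ($reason) {
            [pscustomobject]@{
                Domain           = $d.Id
                IssuerUri        = $cfg.IssuerUri
                PassiveSignInUri = $cfg.PassiveSignInUri
                Reason           = $reason
            }
        }
    }
}

# Constructed sample standing in for live Graph output: one legitimate federated domain,
# one managed domain, and one domain nobody in the organisation registered.
$sampleDomains = @(
    [pscustomobject]@{ Id = 'corp.example.com'; AuthenticationType = 'Federated' },
    [pscustomobject]@{ Id = 'example.com';      AuthenticationType = 'Managed'   },
    [pscustomobject]@{ Id = 'fed-xq7.example';  AuthenticationType = 'Federated' }
)
$sampleFed = @{
    'corp.example.com' = [pscustomobject]@{ IssuerUri = 'http://adfs.corp.example.com/adfs/services/trust'; PassiveSignInUri = 'https://adfs.corp.example.com/adfs/ls/' }
    'fed-xq7.example'  = [pscustomobject]@{ IssuerUri = 'http://sts.attacker-controlled.example/trust';      PassiveSignInUri = 'https://sts.attacker-controlled.example/ls/' }
}
Find-SuspiciousFederation -Domains $sampleDomains -FederationConfig $sampleFed | Format-Table -AutoSize

# Live collection against a real tenant (needs the Microsoft.Graph module and Domain.Read.All):
# Connect-MgGraph -Scopes 'Domain.Read.All','AuditLog.Read.All'
# $domains = Get-MgDomain
# $fed = @{}
# foreach ($d in ($domains | Where-Object AuthenticationType -eq 'Federated')) {
#     $fed[$d.Id] = Get-MgDomainFederationConfiguration -DomainId $d.Id
# }
# Find-SuspiciousFederation -Domains $domains -FederationConfig $fed
#
# The change itself is recorded in the directory audit log under the activity
# 'Set domain authentication' (and 'Set federation settings on domain' for later edits):
# Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Set domain authentication'" |
#     Select-Object ActivityDateTime, ActivityDisplayName, @{n='Actor';e={$_.InitiatedBy.User.UserPrincipalName}}
```

Run offline, the sample data flags only fed-xq7.example. The allow-list is the important part: a tenant that merely checks "is there a federated domain?" will not notice an attacker converting an already-federated domain to a second issuer, which is why the issuer URI is compared rather than just the authentication type.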

In many instances, after gaining extensive control over the network, Storm-0501 deployed the Embargo ransomware across the victim organization’s network via a scheduled task.
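Because the final deployment step above is a scheduled task, the Security log event that records task creation is a cheap place to look for it. The script below is an added example written for this page, not the article's or Microsoft's code: it triages Windows Security event 4698 ("A scheduled task was created"), whose TaskContent field carries the task XML, and flags tasks that run a binary from a staging-style directory or launch a script host with encoded or remote arguments. The directory list and the sample task XML are constructed assumptions.

```powershell
# Added example (not from the article or from Microsoft's write-up): triage 4698 events.
# Assumption: these directories are typical payload staging locations; tune per environment.
$StagingDirs = '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\', '\\PerfLogs\\', '\\Windows\\Tasks\\'
$TaskNs = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

function Test-ScheduledTaskXml {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $TaskXml,    # the TaskContent field of event 4698
        [string] $CreatedBy = ''                      # SubjectUserName of the same event
    )
    $doc = [xml]$TaskXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('t', $TaskNs)

    # S-1-5-18 is LocalSystem: a task running as SYSTEM from a user-writable path is the classic pattern.
    $uid = $doc.SelectSingleNode('//t:Principal/t:UserId', $ns)
    $runsAsSystem = ($null -ne $uid -and $uid.InnerText -eq 'S-1-5-18')

    foreach ($exec in $doc.SelectNodes('//t:Actions/t:Exec', $ns)) {
        $cmd     = $exec.SelectSingleNode('t:Command', $ns).InnerText
        $argNode = $exec.SelectSingleNode('t:Arguments', $ns)
        $cmdArgs = if ($null -ne $argNode) { $argNode.InnerText } else { '' }
        $flags   = @()

        foreach ($dir in $StagingDirs) {
            if ($cmd -match $dir) { $flags += "command path matches $dir"; break }
        }
        if ($cmd -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$' -and
            $cmdArgs -match '(-e(nc|ncodedcommand)?\s|/c\s|https?://)') {
            $flags += 'script host with encoded or remote arguments'
        }
        if ($runsAsSystem -and $flags) { $flags += 'runs as SYSTEM' }

        if ($flags) {
            [pscustomobject]@{
                TaskName  = $TaskName
                CreatedBy = $CreatedBy
                Command   = $cmd
                Arguments = $cmdArgs
                Flags     = ($flags -join '; ')
            }
        }
    }
}

# Constructed sample standing in for one event's TaskName, TaskContent and SubjectUserName.
$sampleTaskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\svc\update.exe</Command><Arguments>-s</Arguments></Exec>
  </Actions>
</Task>
'@
Test-ScheduledTaskXml -TaskName '\svc-update' -TaskXml $sampleTaskXml -CreatedBy 'CORP\da-admin' | Format-List

# Live: pull recent 4698 events from the Security log (requires auditing of "Other Object Access Events").
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 500 | ForEach-Object {
#     $e = [xml]$_.ToXml()
#     $data = @{}
#     foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
#     Test-ScheduledTaskXml -TaskName $data.TaskName -TaskXml $data.TaskContent -CreatedBy $data.SubjectUserName
# }
```

On the sample input the task is flagged twice over: the command lives under \ProgramData\ and the principal is SYSTEM. In a real hunt the CreatedBy field matters as much as the flags, since a task created by a freshly compromised Domain Admin account on a domain controller is exactly the pattern this article describes.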


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
